Date: Sat, 16 Dec 2017 01:43:26 -0600
From: Jeffrey Goldberg <jeffrey@...dmark.org>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification
I wrote about this fairly extensively recently in
https://blog.agilebits.com/2017/09/14/why-is-this-information-sensitive-the-deeper-equifax-problem/
I tried to explain the difference so that I could then whine about the danger of using knowledge of non-secret identifiers as authentication proofs.
Roughly, identification is the process of figuring out who we are talking about. For many systems, a username is all that is needed. A username is all and only what is needed to identify a particular account on the system. Knowledge of an identifier does not prove that you are that person.
In other circumstances, one might need a name and a date of birth to uniquely identify the appropriate record.
Authentication typically requires proof of access to a secret that only the prover should have.
Although authentication typically requires the active participation of the prover, while identification may not, that is not the crucial distinction. It would be a mistake to define the difference in those terms.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
https://1password.com
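As an added illustration of the distinction drawn in this message (example code, not from the original post; the account names, dates and passwords are constructed): identification returns which record(s) an identifier selects, possibly several or none, while authentication verifies possession of a secret, and the anti-pattern of accepting a non-secret identifier as an authentication proof is shown beside the proper check.

```python
import hashlib
import hmac
import os

# Constructed account store. 'dob' is a non-secret identifier attribute;
# only the scrypt hash of the password is kept as the authentication secret.
def _pw(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)

def _record(name: str, dob: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": name, "dob": dob, "salt": salt, "hash": _pw(password, salt)}

ACCOUNTS = {
    "alice":  _record("Alice Smith", "1980-01-02", "correct horse"),
    "asmith": _record("Alice Smith", "1980-01-02", "battery staple"),
    "bob":    _record("Bob Jones",   "1975-06-30", "hunter2"),
}

def identify_by_username(username: str) -> list:
    """Identification: a username selects at most one account. Nothing is proven."""
    return [username] if username in ACCOUNTS else []

def identify_by_name_dob(name: str, dob: str) -> list:
    """Identification by non-secret attributes; the result may be ambiguous or empty."""
    return [u for u, r in ACCOUNTS.items() if r["name"] == name and r["dob"] == dob]

def weak_authenticate(username: str, dob: str) -> bool:
    """The anti-pattern: knowledge of an identifier (the date of birth) is
    treated as proof of being the account holder. Anyone who knows it passes."""
    r = ACCOUNTS.get(username)
    return r is not None and r["dob"] == dob

def authenticate(username: str, password: str) -> bool:
    """Authentication: proof of access to the account's secret, compared in
    constant time. A dummy hash keeps timing similar when the username is unknown."""
    r = ACCOUNTS.get(username)
    if r is None:
        _pw(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_pw(password, r["salt"]), r["hash"])
```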
> On Dec 15, 2017, at 9:53 AM, Matlink <matlink@...link.fr> wrote:
>
> You won a point, Authentication¹ is often an action from the user
> (unless continuous authentification), while Identification is rather
> done by the service.
>
> ¹: I previously made a typo because in French the translation is very close.
>
>
> On 15/12/2017 at 16:49, e@...tmx.net wrote:
>> On 12/15/2017 04:44 PM, Matlink wrote:
>>> Basically:
>>>
>>> Authentification is verifying
>>
>> by the user himself
>> (I prefer to make definitions precise, which voice is active and which
>> is passive)
>>
>>> that a user is really the one she's
>>> pretending to be (i.e. by asking for a password).
>>
>>
>>> Identification is trying to put an identity on someone, like her name is
>>> Alice Smith from London (or less precisely by tracking her across
>>> websites).
>>
>> in other words "THEY DO IT TO YOU"
>> with or without your consent,
>> although you need them to do it to you for your benefit quite often.
>>
>>
>>> On 15/12/2017 at 16:32, Alex Smirnoff wrote:
>>>> It confuses me as well. Isn't it exactly the opposite? Identification
>>>> involves a person, and authentication involves abstract "entity" which
>>>> could be non-person, group of people or whatever.
>>>>
>>>> On Fri, Nov 24, 2017 at 09:29:16AM +0100, Eugene Panferov wrote:
>>>>> it dawned on me recently, the difference between the two is easy to
>>>>> grasp
>>>>> and easy to formulate:
>>>>>
>>>>> You do want exactly one man to be capable of authentication.
>>>>> You do want multiple men to be capable of identification.
>>>
>>
>
> --
> Matlink - Sysadmin matlink.fr
> Stay safe, encrypt your mail: https://café-vie-privée.fr/
> XMPP/Jabber : matlink@...link.fr
> PGP public key: 0x186BB3CA
> Off-the-record fingerprint: 572174BF 6983EA74 91417CA7 705ED899 DE9D05B2
>
>